crypto/tls: incompatibility with Trust Settings in CA certificate #31881
Labels: NeedsInvestigation
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
golang:latest @ docker
What did you do?
The standard crypto/tls library is incompatible with CA certificates (either the root or an intermediate one) when they contain Trust Settings (https://www.openssl.org/docs/manmaster/man1/x509.html#TRUST_SETTINGS):
Since widely used MS AD-based CAs DO have such Settings in their certs, it is hard to use encrypted connections in golang programs in such environments.
What did you expect to see?
A successful TLS handshake.
What did you see instead?
In our case the server's cert is issued by an intermediate CA, which is in turn issued by the root CA, and server.crt contains the server's cert followed by the intermediate CA's one. When the Trust Settings are present in the intermediate's cert, TLS negotiation fails with the following errors:
client.go:40: tls: failed to parse certificate from server: asn1: syntax error: trailing data
server.go:55: remote error: tls: bad certificate
If only the root's cert contains the Settings, the errors are slightly different:
client.go:40: x509: certificate signed by unknown authority
server.go:55: remote error: tls: bad certificate
(Example client & server apps are available at https://github.com/kruftik/go-tls-vs-windows-ad-ca; build.sh prepares the binaries.)
Once the Settings are stripped from both the root and intermediate CA certs with the
openssl x509 -in rootCA.crt -out rootCA.clean.crt
command, the problem goes away.